<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>
    <title>org.bhf.security.authentication</title>
    <meta http-equiv="Content-type" content="text/html; charset=iso-8859-1">
</head>

<body style="background: #FFF">

<p>
This package contains classes implementing the authentication aspect
of security.  Authentication is the process of producing a well formed
<code>Subject</code> from a set of credentials, such as a login ID
and password.  The composition of this <code>Subject</code> forms the basis
for the contract between authentication and authorization.
Successful authentication results in a <code>Subject</code>
that is populated with the following:
</p>

<ul>
    <li>
        One <code>org.bhf.security.common.UserID</code>
        as a <code>Principal</code>
    </li>
    <li>
        One <code>org.bhf.security.common.LoginID</code>
        as a public credential
    </li>
    <li>
        Zero or more <code>org.bhf.security.common.Role</code>s
        as <code>Principal</code>.
    </li>
</ul>

<p>
In addition, a <code>Subject</code> may also have zero or more
<code>PermissionPrincipal</code>s - permissions assigned to the
<code>Subject</code> during the process of authentication rather
than through a security policy.  The authentication process may add
additional <code>Principal</code>s and credentials to the <code>Subject</code>
that are implementation specific.
</p>

<p>
An application is responsible for passing the <code>Subject</code> to the
authorization mechanism, such as the <code>RoleBasedSecurityManager</code>.
In multi-user systems, such as Web applications, the <code>Subject</code>
is passed contetxually using <code>ContextSubject</code> to associate a
<code>Subject</code> with the current thread of execution.
</p>

<p>
Authentication itself is performed through
the <code>AuthenticationFacility</code> (a facility can be considered
a "local service").  The authenticaton process can be decorated using
<code>AuthenticationFilter</code>s.  <code>AuthenticationFilter</code>s
are specified and ordered as a part of implementation specific configuration.
Filters themselves are configured via <code>AuthenticationConfig</code>
implementations.
</p>

<p>
The actual source of authentication (database, Web service, etc...)
is specified via the <code>AuthenticationProvider</code> interface.
</p>

<p>
A limited amount of administrative functionality is exposed through
the <code>AuthenticationAdmin</code> and <code>AuthenticationAdminProvider</code>
interfaces.
</p>

</body>

</html>